When designing for security it is important to know who your adversary is and where they might lurk. With this in mind, encryption is able to protect data from three sets of parties:
- First party – malicious insider
- Second party – the cloud provider
- Third party – hackers/cybercriminals
Client-side encryption – where users encrypt their own data, with their own key – is always favoured by cryptographers and security experts because it reduces the number of parties via which an attack or data breach could happen.
Server-side encryption with server held keys – where users give regular (unencrypted) data to their cloud provider, with the latter encrypting it at their end – is sometimes favoured by developers because it means that there are no changes required throughout the development process.
The reality is, however, that server-side encryption with server held keys doesn’t actually protect against third parties – and access-level misconfigurations can make it absolutely useless. The role of encryption should be to provide an extra layer of protection, additional to access credentials. Server-side encryption doesn’t do this because it uses access credentials to determine who to decrypt data to!
So what do most people do? Most implement either no security – which costs nothing but gives zero protection – or server-side encryption, because it’s simple and convenient. This choice is reflected by research showing that 96% of breached data is not encrypted (http://ibmsystemsmag.com/mainframe/trends/security/enterprise-encryption/ ) leaving organisations’ valuable information open to manipulation by cybercriminals.
Only client-side encryption offers full protection against second and third parties. To demonstrate this; say, due to a phishing attack, a company’s cloud storage account credentials are compromised and their data is exposed. If the cloud server holds the keys, it will decrypt the data and serve it to the attacker. In order for encryption to be most effective, the encryption key must be kept secret from the server (which is only possible via client-side encryption).
Traditionally, client-side encryption has been difficult to implement and manage – as well as expensive – but this is no longer the case, meaning that organisations of any size can now start benefiting from its extensive data protection capabilities, while also complying with the ‘pseudonymisation’ requirements of GDPR (Chapter 1, Article 4).
Come and meet Scram Software at stand X98 at Infosecurity Europe, June 5-7th, Olympia, London
@ScramSoftware
A computer programmer and entrepreneur from Melbourne, Australia, Linus Chang is an accomplished educator, speaker and software developer, specialising in information security and is CEO of Scram Software.
Linus is known for making complex tasks simple. In a 20 year career, he has founded two software companies (Scram Software and BackupAssist) specialising in producing data protection products including the recently launched ScramFS.
His products, encompassing the fields of data backup, ransomware protection, and encryption, have been sold to 165 countries, with clients including corporates, non-profits, government departments and hundreds of thousands of SMEs.
The topic of Data Protection will be covered throughout the free-to-attend conference at Infosecurity Europe in London from 4-6 June. See all the talks on Data Protection here. Infosecurity Europe is the leading European event for information and cyber security; find out more and secure your free visitor badge.